SlowMist: Beware of Solana Wallet Owner Permission Tampering Attacks

ChainCatcher reported that the SlowMist security team has issued a security alert regarding a recent phishing attack. A user recently fell victim to a phishing attack, resulting in the transfer of their account Owner permissions. The user attempted to revoke authorization but was unable to do so. Over $3 million worth of assets have already been stolen from the user, and an additional $2 million worth of assets were stored in DeFi protocols but could not be transferred. Currently, with the assistance of the relevant DeFi protocols, the approximately $2 million in assets have been successfully rescued.

This attack is not a traditional "authorization theft," but rather the attacker's replacement of core permissions (Owner permissions), causing the victim to be unable to transfer funds, revoke authorizations, or operate DeFi assets. Although the funds "appear normal," they are no longer under the victim's control. The attacker used two counterintuitive scenarios to successfully trick the user into clicking: 1) Normally, when signing a transaction, the wallet simulates the execution result of the transaction, and any fund changes will be displayed in the interface. However, the attacker's carefully crafted transaction showed no fund changes; 2) Traditionally, Ethereum EOA accounts are controlled by private keys, and users may not be aware that Solana accounts have the feature of modifying account ownership. SlowMist reminds users to be vigilant when authorizing signatures and to confirm whether there are any hidden operations such as modifying Owner or other high-risk permissions.